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Abstract 

It is well known that a quadratic function denned on a finite field 
of odd degree is almost bent (AB) if and only if it is almost perfect 
nonlinear (APN). For the even degree case there is no apparent rela- 
tionship between the values in the Fourier spectrum of a function and 
the APN property. In this article we compute the Fourier spectrum of 
the quadranomial family of APN functions from [S]. With this result, 
all known infinite families of APN functions now have their Fourier 
spectra and hence their nonlinearities computed. 



1 Introduction 

Highly nonlinear functions on finite fields are interesting from the point of 
view of cryptography as they provide optimum resistance to linear and differ- 
ential attacks. A function that has the APN (resp. AB) property, as denned 



below, has optimal resistance to a differential (resp. linear) attack. For more 
on relations between linear and differential crypt analysis, see [T3] . 

Highly nonlinear functions are also of interest from the point of view of 
coding theory. The weight distribution of a certain error- correcting code is 
equivalent to the Fourier spectrum (including multiplicities) of /. The code 
having three particular weights is equivalent to the AB property, when n is 
odd. The minimum distance of the dual code being 5 is equivalent to the 
APN property holding for /. 

For the rest of the paper, let L = GF(2 n ) and let L* denote the set of 
non-zero elements of L. Let Tr : L — > GF(2) denote the trace map from L 
to GF{2). 

Definition 1 A function f : L — > L is said to be almost perfect nonlin- 
ear (APN) if for any a G L* ,b G L, we have 

\{x G L : f(x + a)-f(x) = b}\ < 2. 

-> L, the Fourier transform of f is 

^\Tr(ax+bf(x)) 



Definition 2 Given a function f : L — 
the function f : L x L* — > Z given by 

f(a,b) = J2(- 



The Fourier spectrum of / is the set of integers 

A f = {f{a,b) : a,b G L,b ^ 0}. 
The nonlinearity of a function / on a field L = GF(2 n ) is defined as 

NL(f) := 2 n ~ l - - max |x|. 

2 x€Af 

The nonlinearity of a function measures its distance to the set of all affine 
maps on L. We thus call a function maximally nonlinear if its nonlinearity 
is as large as possible. If n is odd, its nonlinearity is upper-bounded by 
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2 n 1 — 2™2 1 ) while for n even a conjectured upper bound is 2™ 1 — 2a 1 . 
For odd n, we say that a function / : L — ► L is almost bent (AB) when 
its Fourier spectrum is {0, ±2 _ 2 - }, in which case it is clear from the upper 
bound that / is maximally nonlinear. We have the following connection (for 
odd n) between the AB and APN property: every AB function on L is also 
APN [T3], and, conversely, if / is quadratic and APN, then / is AB [12J. In 
particular, quadratic APN functions have optimal resistance to both linear 
and differential attacks. On the other hand, there appears to be no relation 
between the nonlinearity NL(f) and the APN property of a function / when 
n is even. The reader is referred to [TU] for a comprehensive survey on APN 
and AB functions. 



2 New Families of Quadratic APN functions 

Recently, the first non-monomial families of APN functions have been dis- 
covered. Below we list the new families of non monomial functions known at 
the time of writing. 



f(x) = x 2 +i + ax 2 +2 

where n = 3k, (k,3) = (s,3k) — 1, k > 3, i = sk mod 3, m = — % 
mod 3, a = t 2 ^' 1 and t is primitive (see Budaghyan, Carlet, Felke, 
Leander [Hj). 



f(x) = x 2 +i + ax 2 +2 

where n = 4k, (k, 2) = (s, 2k) — 1, k > 3, i = sk mod 4, m = 4 — i, 
a = t 2k ~ 1 and t is primitive (see Budaghyan, Carlet, Leander [7]). This 
family generalizes an example found for n = 12 by Edel, Kyureghyan, 
Pott PS]. 



3 



3. 

f{x) = ax 2S+1 + a 2k x 2k+s+2k + Px 2k+1 + ^ llX 2k+l+2 \ 

i=i 

where n = 2k, a and (3 are primitive elements of GF(2 n ), and ji G 
GF{2 k ) for each i, and (k,s) = 1, k is odd, s is odd (see Bracken, 
Byrne, Markin, McGuire [2]). 

4. 

f(x) =x 3 + Tr(x 9 ), 
over GF(2 n ), any n (see Budaghyan, Carlet, Leander p2j). 

5. 

. . 2 k 2~ k +2 k+s , 2 S +1 , 2~ k +l , 2 fc +l 2 fc+s +2 s 

j(x)=a x ^ + ax ^ +vx ^ + wa ^x ^ 

where n = 3k, a is primitive in GF(2 n ), v,w e GF(2 k ) and ftw ^ 1, 
(s, 3fc) = 1, (3, k) = 1 and 3 divides /c + s (see Bracken, Byrne, Markin, 
McGuire 0). 

In pQ the Fourier spectra of families (1) and (2) are computed. The 
determination of the Fourier spectra of families (3) and (4) has been given 
in [3] and jl], respectively. In this paper we calculate the Fourier spectra 
of family (5). We will show here that the Fourier spectra of this family 
of functions are 5- valued {0, ±2t 5 ±2^} for fields of even degree and 3- 
valued {0,±2^~} for fields of odd degree. In this sense they resemble the 
Gold functions x 2d+1 , (d,n) = 1, as indeed do all five APN functions listed 
above. For fields of odd degree, our result provides another proof of the APN 
property. This does not hold for fields of even degree; as we stated earlier, 
there appears to be no relation between the Fourier spectrum and the APN 
property for fields of even degree. Thus, the fact that / has a 5- valued Fourier 
spectrum for fields of even degree does not follow from the fact that / is a 
quadratic APN function. Indeed, there is one example known (due to Dillon 
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[14] ) of a quadratic APN function on a field of even degree whose Fourier 
spectrum is more than 5-valued; if u is primitive in GF(2 6 ) then 

g(x) = x 3 + u u x 5 + u 13 x 9 + x 17 + u n x 33 + x 48 

is a quadratic APN function on GF(2 6 ) whose Fourier transform takes seven 
distinct values. 



3 The Fourier Spectrum of Family (5) 

We shall make use of the following lemma, a proof of which can be found in 

in- 

d 

Lemma 1 Let s be an integer satisfying (s,n) = 1 and let f(x) = r^x 2 " 

i=0 

be a polynomial in L[x\. Then f(x) has at most 2 d zeroes in L. 

Theorem 2 Let f(x) = a 2 ' " x 2 + 2 +s _|_ a x 2S+1 + vx 2 ~ k+1 + wa 2k+1 x 2k+s+2S , 
where n = 3k, a is primitive in GF(2 n ), v,w £ GF(2 k ) and vw ^ 1, 
(s,3k) = 1, (3, k) = 1 and 3 divides k + s The Fourier spectrum of f(x) 
is {0, ±2 _ 3 - } when n is odd and {0, ±2§, ±2 _ 2 - } when n is even. 

Proof: The Fourier spectrum of / is given by 



/(a,6) = X)(-l 



^ Tr(ax+bf(x)) 



Squaring gives 



f( a} b) 2 = ^ y^^_ 1 ^Tr(ax+bf(x)+ay+bf(y)) 
x&L y£L 

_ ^ y^^_^ r Tr(ax+bf(x)+a(x+u)+bf(x+u)) 



x£L u£L 

from the substitution y = x + u. 
This becomes 



/(a, b) 2 = ^ {-l) Tri - au+bfi - u ^ (-l) Tr ( xLb ^ 
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where 

L b (u) := abu 2 " + a 2 " V"V"* + a^b 2 * u 2 ^ 3 + n 2 b 2 ' a 2 " 

• r/r'// 2 ' + vbu 2 " + w 2 lr ' ~ n 2 ^ 2 " ,r 5 + w 2 b 2 V 2 V\ 

Using the fact that l) Tr(c:r ) is when c ^ and 2 n otherwise, we 

obtain 

f{a,b) 2 = T Y^{-l) Triau+bf{u) , 

ueK 

where K denotes the kernel of L b (u). If the size of the kernel is at most 
4, then clearly 



< y^(_l)rr(ou+6/(u)) < 4 

Since /(a, 6) is an integer, this sum can only be 0, 2, or 4 if n is even, and 
1 or 3 if n is odd. The set of permissible values of f(a, b) is then 

{0,2^,-2^} when n is odd and {0, 2"/ 2 , -2"/ 2 , 2^, -2^} when n 
is even. 



?( ^J { °' ±2 * } 2tn 
t{a,b) e < 

\{0,±2?,±2^} 2 |n. 

We must now demonstrate that |_ftT| < 4, which is sufficient to complete 
the proof. 

Now suppose that L b (u) = 0. This gives 

b 2 ~ k L b (u) = b 2 ' k - 2k ' s a 2 '\b 2 ' s+2k ' s u 2 ' s + lr" '- 2 " V 

+u; 2- 6 2-. + 2*-. a 2*- V * + u ,2-V fc -+ 2 - fc -a 2 - fc - U 2 - fc ) 
+a 2- fc6 2 fc+2 -* u 2- fc+ . + a6 2-*+l u 2« + u6 2 fc +2-* u 2* + ^"^l^"* = Q (1) 

Next we let = a 2 ^ 2 ^ 2 ^, = 6 2 - s + 2 ^ s (^ s + ^a^V*) and 

r(-u) = fr 2fc + 2 k {yu 2k + a 2 fe -u 2 fc+s ). Equation (1) now becomes 

r fc l 6 (n)=r(n) + r(n) 2t + ^(u) + ^) 2t )=0 (2) 



For convenience we will write r{u) and t(u) as r and t. We have, 
^ = b 2 +z (u 2 + wa z u ). 

This implies 

t 2k+s +wr = b 2k+2 ' k (l + vw)u 2 \ (3) 

We also get 

vt 2k+s + r = 6 2fc+2 "(l + vw)a 2 ' k u 2 ' k+s . (4) 
Equation (3) implies 

u = b- l - 2k {l+vw)-\t 2S +wr 2 - k ), 
while Equation (4) gives 

u = b- 2 ~ k - a - 2 -\l + vw)- 2 ' s a- 2 ' s (v 2 ' s r k + r 2 "- 3 ). 
Combining these two expressions for u yields 

9z(t 2S +wr 2 - k ) = v 2 ' s t 2 ' k +r 2k -\ 

where z = (1 + vw) 2 s ~ l (b 2 + 2 + 1 ) 2 s ~ 1 . Note z € GF(2 k ). We rearrange 
and multiply by + 6> 2 to obtain 

(0 + ^(wzfr + v 2 "'*) = + e 2 - k ){6 2k zt 2k+s + r 2 "^). (5) 

We claim that 6 + 8 2 ~ k is not zero. If 9 = 8 2 ~" then a 2 "" 1 = &(2 fc+s -i)(2 fc -2-^ 
As k + s is divisible by 3, 2 k+s — 1 is divisible by seven. This implies a is 
a seventh power contradicting its primitive status and the claim is proven. 
From Equation (2) we have 

r + r 2k = 9(t + t 2k ) 

From this equation and using the fact that relative trace mapping from 
GF{2 3k ) to GF(2 k ) (denoted by Tr k ) is zero for any field element of the 
form 5 + 5 , we derive the following 

Tr k (9(t + t 2k )) = Tr k (9-\r + r 2 ")) = 0. 
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As Tr k (cg) = cTr k (g) for c e GF(2 k ) and 2 fc +2*+i e GF(2 k ) we can say 

Tr k ((e + e 2 ~ k )t) = Tr k (e 2k (9 + e 2 - k )r) = 0. (6) 

Therefore the left hand side of Equation (5) has relative trace of zero, which 
implies the right hand side of Equation (5) has relative trace of zero also. 
That is, 

Tr k ((6 + 6 2 - k )(6 2k zt 2k+s + r 2 ^ )) = 0. 

We write this as 

z((0 + e 2-^ d 2 k t 2^ + ( d + 02-yg2- k t>- k+ ' + (9 + 9 2 ~ k f~ k 9t 2S ) 

= (e + 9 2 - k )r 2 - k - s + (9 + e 2 - k fr 2 - s + (9 + Q 2 - k f- k r 2k - s . (7) 
From Equation (6) we obtain 

^ 2 -fc+ s _ ^ _|_ 02-*^2 s -2- fc + S £2 s _)_ ^ _|_ ^2- fc ^2 fc + s -2-' i: + 3 ^2' c + s 

r 2 =6 2 ~ 2 (9 + 9 2 Y ~ 2 r 2 +9 2 ~ 2 (9 + 9 2 ) 2 ~ 2 r 2 . 
Substituting these expressions for t 2 k+s and r 2 k s into Equation (7) we get 
z (((0 + 9 2 - k )9 2k + (9 + {9 + 2-* ) 2* + .-2-* + . )t 2* + . + 

((^ + 2-*)2-^ + + Q2-y9 2 - k (9 + 2-* ) 2'-2-*+' )t 2« ) 
= ((0 + ^) 2fc + (0 + ^^"^"{O + 2-* )2 --2-*- )r 2- + 
((^ + 2-* )2 -* + (fl + 2-*^2-*--2-^ + 2-* ) 2*--2-*- )r 2*-_ 

We multiply across by (0 + # 2 fc ) 2 fc s+2 k+s 9 2 s and obtain 

z (0 + 9 2 ' k ) 2 ' k ' a 9 2 '\{{9 + 02-*)2-*+. + l 2* + (0 + 2-* ) 2*+.+2^2-* )t 2*+« 
+ ((0 + 02-* )2 -*+'+2-*0 + (0 + 2-* ) 2.+2* 2-* )i 2. ) = 

+ e 2 ~") 2 ~ k+ '(((9 + 9 2 - k f- k - s+2k 9 2 ~ s + (9 + p-y-+w-'y-' 

+ ((0 + 02-* )2 -*-+2-*02- + ( fl + 2-* ) 2*-+l 2-*- )r 2*- ) _ 

8 



Letting P(9) = (e+e 2 "*) 2 "* +i+1 2fc + (0+0 2 " fc ) 2fc+ * +2fc e 2 "*, the above equation 
becomes 

z (0 + ^ fc ) 2 - fc -^ 2 - s (P(^)t 2fc+s + P(6) 2 - k t 2S ) 

= (e+e 2 - k ) 2 - k+s (p(6) 2 - k - a r 2 - s +p(ef- s r 2k - s ). (8) 

We claim that P{6) is a non zero element of GF(2 k ). Setting P(9) equal to 
zero yields 

This implies 

Q2 k -2~ k _ ^_ Q2- k ^{2 k+s -l){l-2 k ) 

Therefore Q 2k - 2 ~ k is a seventh power. But 9 2k ~ 2 ~ k = ^ a j^ k (2 k + s -i)y k -2- k ^ 
which would require a to be a seventh power also, which its not. Hence 
P{9) ± 0. 

To see that P{9) G GF(2 k ), we multiply the expression out and refactor 
as follows. 

P(9) = (9 + e 2 ~ k ) 2 ~ k+s (e + e 2 ~ k )e 2k + {9 + 9 2 ~ k f +s (e + 9 2 ~ k f9 2 ~ k . 

This implies 

P(9) = (9 2 ~ k+s + 9 2k+s )(0 2k+1 + 9 2 " +2k ) + (9 2S + 9 2k+s )(9 2 ~ k+1 + 9 2 ~ k+2k ), 
which becomes 

P(9) = 9 2S (9 2 ~ k+1 + 9 2 " +2k ) + 9 2k+s (9 2k+1 + 9 2 " +1 ) + 9 2 - k+s (0 2k+2 ~ k + 9 2 " +l ). 
We can write this as 

P(9) = Tr k (9 2S (9 2 ' k+1 + 9 2 ' k+2k )), 

hence P(9) e GF(2 k ) and the claim is proven. 
Now Equation (8) becomes 
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Using Equation (2) and raising by 2 s we obtain an equation in (t + t 2 ), 

^{e + e 2 - k f- k ~ 2 - k+2a p{ef s -\t + t 2k f s + {t + t 2k ) = o, 

which by Lemma 1 can have no more than two solutions for (t + t 2k ) when 
n is odd and no more than four solutions for (t + t 2k ) when n is even. This 
restriction on (t + t 2k ) is crucial and will be used to complete the proof, but 
first we consider the following two expressions which come from Equations 
(3) and (4) respectively, 

Bu = t + wr , 

o — s _,o — k — s o — S r) — k rtk — S 

a B u — v 2 t 2 +r 2 , 
where B — (1 + vw)b 2k+1 . From these we obtain 

Bu + B 2k u 2k = (t + t 2k f s + w(r + r 2k ) 2 - k , 
o?- s B 2 - k - s u + a 2k - s B 2 ~ s u 2k = v 2 ~ 8 (t + t 2k f- k + (r + r 2k f- a . 

rik 

Next we eliminate the u term in these equations to give the following 

(a 2k - s B 2 ~ s+1 + a 2 ' 3 B 2 ~ k - s+2k )u = B 2 ' {v 2 ~ s {t + t 2 ') 2 ^ + (r + r 2 *) 2 ^) 

+ a 2k ~ s B 2 -\(t + t 2k f + w(r + r 2k f- k ). (9) 

We let D = a 2k ~ s B 2 ~ s+1 + a 2 ~ 3 B 2 ~ k ~ s+2k and note that D is not zero as D = 
implies a 2fe ~ s - 2 ~ s = s 2 ^^- 2 ^- 1 = jB (2 fc +-i)(2-- 2 -'=-) j which again 

contradicts the fact that a is primitive. Therefore we may write Equation 

(9) as 

u = D-\B 2k {v 2 - s (t + t 2k f- k + (r + r 2k f- s ) 

W k ~ 3 B 2 -\{t + t 2k f s + w(r + r 2k f- k )). 

We now use Equation (2) to substitute the r + r 2k terms for 9{t + t k ) and we 
obtain 

u = D-\B 2k {v 2 - s {t + t 2 *) 2 " + (9(t + t k )f- s ) 

+a 2k ~ s B 2 - s ((t + t 2fc ) 2S + w(6(t + t k )) 2 - k )). 

Recall t + t 2k can only take two values when n is odd and four when n is 
even, hence the above equation shows that u must have at least the same 
restrictions and the proof is complete. 
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